As previously reported by ERM [https://bit.ly/43F3uvQ], the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework on 10 July 2023. US companies that are certified under the Data Privacy Framework (“DPF”) may now receive personal data from EU-based data exporters without the need for additional data protection safeguards.
One noteworthy change brought by the DPF is the new redress mechanism. This mechanism allows EU individuals to seek redress through their national authorities via the proposed Data Protection Review Court (“DPRC”). It is generally seen as a significant step forward in the development of EU-US data transfers. However, questions remain regarding the court’s independence and the transparency of the mechanism.
How will it work?
- EU individuals may lodge a complaint regarding a possible violation of their personal data rights arising from US signals intelligence activities with a specified “appropriate public authority” in their home country. The appropriate public authority verifies the complainant’s identity and ensures the complaint constitutes a “qualifying complaint.”
- If the complaint is found to be qualified, it will be sent to the Civil Liberties and Privacy Officer (“CLPO”), who is part of the US Office of the Director of National Intelligence, and who will investigate the complaint.
- Following the investigation, the CLPO will notify the appropriate public authority either (i) that there was no violation or (ii) that a remediation has been issued.
- As a second step, the complainant can then, via the public authority, appeal to the Data Protection Review Court. At the DPRC, a 3-judge panel will review the CLPO’s investigation and may request additional information from the relevant authorities.
- The DPRC will then decide whether (a) the CLPO’s determination regarding whether a covered violation occurred was legally correct and (b) the remediation was consistent with the law.
- When the investigation is completed, the DPRC will inform the appropriate public authority either (i) that there was no violation or (ii) that a remediation has been ordered. Its decision will be final and binding.
Is the mechanism sufficient?
We can expect ongoing dialogue and collaboration between the EU and the US to ensure the DPF’s effective implementation. Nonetheless, uncertainties remain, particularly because Austrian privacy activist Max Schrems has already announced a legal challenge. Points of criticism are:
- The DPRC is an executive body, not part of the judicial branch, raising concerns about its independence and impartiality when resolving complaints from Europeans.
- Moreover, the court can only provide a simple decision without confirming or denying complainants’ exposure to US signals intelligence activities, which raises transparency questions. This lack of clarity may result in a lack of trust in the process among complainants and the public.
- The effectiveness of the redress mechanism will depend largely on its implementation in practice. It remains to be seen how easily EU individuals can access the mechanism, how quickly complaints will be handled, and whether the DPRC’s decisions will genuinely address and remedy privacy violations.
For more information on the process and for assistance with the process of certifying under the Data Privacy Framework, please reach out to us at ERM.